Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass UPN auth and Onboarding

  • 1.  ClearPass UPN auth and Onboarding

    Posted Jan 18, 2018 08:51 AM

    Hi!

    I'm trying to change our current setup to allow users to use UPN to sign in to the WLAN and then onboard their device, also using their UPN.

    Before, using samAccountName was no problem, but some users don't even know their samAccountName, and we therefore want to use UPN, which is the same as their email address.

    Making the service and AD connection was no big issue, so I've got connecting to the WLAN solved.

    Simply changed the service not to strip @, and added

    (|(&(objectClass=user)(sAMAccountName=%{Authentication:Username}))(&(objectClass=user)(userPrincipalName=%{Authentication:Username})))

    to the filter of the AD connection.

     

    But when trying to connect with an onboarded device, it simply will not work. I get "User not found in any authentication source",

    error code 201.

    When checking Access Tracker I see that it might be using the wrong username somehow.

    I want to use firstname.lastname@domain.se

    but it simply shows:

    Authentication:Username firstname$

    I've tried multiple things:

    changing my AD query to: Authentication-Fullname

    and also changing my

    ONBOARD DEVICE REPOSITORY query to

     

    SELECT user_credential(password) AS User_Password,
           CASE WHEN enabled = FALSE THEN 225
                WHEN ((start_time > now()) OR ((expire_time is not null) AND (expire_time <= now()))) THEN 226
                WHEN approval_status != 'Approved' THEN 227
                ELSE 0
           END AS Account_Status,
           sponsor_name
    FROM tips_guest_users
    WHERE ((guest_type = 'USER') AND (user_id = mdps_username_to_serial('%{Authentication:Full-Username}')::text) AND (app_name = 'Onboard'))

     

    But none of it seems to help. The annoying part is that the log from Access Tracker states:

    INFO RadiusServer.Radius - rlm_ldap: searching for user firstname.lastname@domain.se in AD:xxxxx

    which looks correct, but still says

    ERROR RadiusServer.Radius - rlm_eap_tls: User not found in any authentication source, rejecting

    in the end.

    In this link a similar issue is discussed:

    http://community.arubanetworks.com/t5/Security/onboard-device-repository-is-NOT-chosen-as-authentication-source/td-p/248951

    Maybe the SQL stuff mentioned at the end of the thread is not the same as what I tried?

    Also, the users' UPN and samAccountName are completely different, sadly...
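    The filter in the first post substitutes %{Authentication:Username} directly into an LDAP search expression. The following is an added example (not code from the thread and not part of ClearPass) that builds the same sAMAccountName/userPrincipalName filter in Python and escapes the substituted value per RFC 4515, so that characters such as parentheses, asterisks or backslashes in a presented username cannot change the filter's structure. The helper names (ldap_escape, build_user_filter, count_assertions) are this example's own.

```python
import re

# Same filter as in the post, with the ClearPass macro replaced by a
# Python format placeholder. Added example; not ClearPass code.
FILTER_TEMPLATE = (
    "(|(&(objectClass=user)(sAMAccountName={u}))"
    "(&(objectClass=user)(userPrincipalName={u})))"
)

# RFC 4515 section 3: characters that must be escaped inside an
# assertion value. Each character is replaced exactly once, so the
# backslash escape cannot be re-escaped by a later rule.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def ldap_escape(value: str) -> str:
    """Escape a value for use inside an LDAP filter assertion."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(username: str) -> str:
    """Build the combined sAMAccountName / userPrincipalName filter with
    the username safely escaped."""
    return FILTER_TEMPLATE.format(u=ldap_escape(username))


def count_assertions(ldap_filter: str) -> int:
    """Count '(attribute=' assertions; a correctly escaped username never
    changes this number, whatever characters it contains."""
    return len(re.findall(r"\([A-Za-z]+=", ldap_filter))


if __name__ == "__main__":
    # Constructed sample inputs: a UPN as in the thread, and a string
    # containing filter metacharacters.
    for name in ("firstname.lastname@domain.se", "x)(cn=*"):
        f = build_user_filter(name)
        print(count_assertions(f), f)
```

    The template always yields four assertions (two objectClass checks plus the two name comparisons); if count_assertions ever reports more for some input, the value reached the filter unescaped.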



  • 2.  RE: ClearPass UPN auth and Onboarding

    EMPLOYEE
    Posted Jan 18, 2018 08:58 AM

    You should not be changing anything other than the AD auth source query.

     

    Make sure ONLY your AD source is listed as the auth source for your 802.1X service . You should not be attempting to authenticate against Onboard Device Repo.



  • 3.  RE: ClearPass UPN auth and Onboarding

    Posted Jan 18, 2018 09:19 AM

    We are using the same SSID for onboarding and 802.1X, and using computer authentication for corporate clients.

    So I did as you said and removed the Onboard repository from the 802.1X service. Made no difference though; Access Tracker still says it can't find the user in AD.

    Also check out these computed attributes from Access Tracker; Authentication:Username is totally wrong...

    Authentication:ErrorCode = 201
    Authentication:Full-Username = host/firstname.lastname@domain.se
    Authentication:MacAuth = NotApplicable
    Authentication:OuterMethod = EAP-TLS
    Authentication:Posture = Unknown
    Authentication:Status = Failed
    Authentication:Username = firstname$


  • 4.  RE: ClearPass UPN auth and Onboarding

    EMPLOYEE
    Posted Jan 18, 2018 09:26 AM

    OK, so the issue is not with Onboarded users, it's with corporate AD-joined machines receiving their certificates through ADCS?



  • 5.  RE: ClearPass UPN auth and Onboarding

    Posted Jan 18, 2018 09:31 AM

    No, sorry for the confusion. The 802.1X with corporate machines works fine; they use AD PKI.

    It's when using UPN to onboard a device using the ClearPass Onboard CA. It worked fine using samAccountName for the onboarding, just not when we use UPN instead. Tried this with the same user account.

    Also tried with and without stripping these in the service:

    \:user,/:user

    But it makes no difference. Also tried stripping @, but then UPN logon to the WLAN stops working.



  • 6.  RE: ClearPass UPN auth and Onboarding

    EMPLOYEE
    Posted Jan 18, 2018 09:38 AM

    Sorry, this is very difficult to follow.

     

    So you're saying the issue only occurs during the Onboard process, or post-Onboard when the device authenticates using its certificate?

    Might be best to work with your ClearPass partner or Aruba TAC to work in real time.



  • 7.  RE: ClearPass UPN auth and Onboarding

    Posted Jan 18, 2018 09:40 AM

    Yeah, sorry.

     

    The onboarding process works fine; the device is in the database and my UPN user is listed as owner of the device.

    It's when connecting to the WLAN after the device has been onboarded that I get this issue.



  • 8.  RE: ClearPass UPN auth and Onboarding

    EMPLOYEE
    Posted Jan 18, 2018 10:02 AM

    Please post an access tracker export for the request.



  • 9.  RE: ClearPass UPN auth and Onboarding

    Posted Jan 18, 2018 10:10 AM

    Summary
    Login Status: REJECT
    Session Identifier: R00430b5d-02-5a60b53e
    Date and Time: Jan 18, 2018 15:54:54 CET
    End-Host Identifier: 605718937088
    Username:
    Access Device IP/Port: xx.xx.xx.xx.xx:0 (xxxx-CTRL01 / Aruba)
    System Posture Status: UNKNOWN (100)

    Policies Used -
    Service: TEST
    Authentication Method: EAP-TLS
    Authentication Source: None
    Authorization Source: [Endpoints Repository]
    Roles: xxxxxx
    Enforcement Profiles: xxxxxx
    Service Monitor Mode: Disabled
    Online Status: Not Available

    Input:
    Username:
    End-Host Identifier: 605718937088
    Access Device IP/Port: xxxxx (xxxxx-CTRL01 / Aruba)

    Radius:Aruba:Aruba-AP-Group = TEST
    Radius:Aruba:Aruba-Device-Type = Win 10
    Radius:Aruba:Aruba-Essid-Name = xxxxx
    Radius:Aruba:Aruba-Location-Id = xxxxxx
    Radius:IETF:Called-Station-Id = 0xxxx
    Radius:IETF:Calling-Station-Id = xxxx
    Radius:IETF:Framed-MTU = 1100
    Radius:IETF:NAS-Identifier = WIFI
    Radius:IETF:NAS-IP-Address = xxxxx
    Radius:IETF:NAS-Port = 0
    Radius:IETF:NAS-Port-Type = 19
    Radius:IETF:Service-Type = 2
    Radius:IETF:User-Name = host/firstname.lastname@domain.se

    Authentication:ErrorCode = 201
    Authentication:Full-Username = host/firstname.lastname@domain.se
    Authentication:MacAuth = NotApplicable
    Authentication:OuterMethod = EAP-TLS
    Authentication:Posture = Unknown
    Authentication:Status = Failed
    Authentication:Username = firstname$
    Authorization:Sources = [Endpoints Repository]
    Connection:AP-Name = XXXX
    Connection:Client-Mac-Address = 605718937088
    Connection:Client-Mac-Address-Colon = 60:57:18:93:70:88
    Connection:Client-Mac-Address-Dot = 6057.1893.7088
    Connection:Client-Mac-Address-Hyphen = 60-57-18-93-70-88
    Connection:Client-Mac-Address-NoDelim = 605718937088
    Connection:Client-Mac-Address-Upper-Hyphen = 60-57-18-93-70-88
    Connection:Client-Mac-Vendor = Intel Corporate
    Connection:Dest-IP-Address = XXXXXX
    Connection:Dest-Port = 1812
    Connection:NAD-IP-Address = XXXXXX
    Connection:Protocol = RADIUS
    Connection:Src-IP-Address = XXXXXX
    Connection:Src-Port = 52738
    Connection:SSID = XXXXX
    Date:Date-Time = 2018-01-18 15:54:54
    Host:FQDN = firstname.lastname@domain.se
    Host:Name = firstname

    Alerts:
    Error Code: 201
    Error Category: Authentication failure
    Error Message: User not found

    Alerts for this Request
    Policy server: Failed to get value for attributes=[Category, Device Name]
    RADIUS: domain.se - server.domain.se: User not found.
    EAP-TLS: Authentication failure, unknown user
     



  • 10.  RE: ClearPass UPN auth and Onboarding

    EMPLOYEE
    Posted Jan 18, 2018 10:14 AM

    Why are the Onboarded devices configured for machine authentication?



  • 11.  RE: ClearPass UPN auth and Onboarding

    Posted Jan 18, 2018 10:15 AM

    The Certificate is stored in the "local computer" not "local user". One person is responsible for the computer but several might use it. 

     

     

    What looks strange to me is that

    Radius:IETF:User-Name = host/firstname.lastname@domain.se

    Shows up as:

    authentication-username: firstname$

    I thought it should be:

    authentication-username: firstname.lastname@domain.se
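    The export above shows a RADIUS User-Name of host/firstname.lastname@domain.se being turned into Authentication:Username = firstname$, Host:Name = firstname and Host:FQDN = firstname.lastname@domain.se. The following is an added example, not ClearPass code and not from the thread, that models that derivation so the failure can be reproduced offline: it assumes (inferred from the export, not from documentation) that a "host/" prefix selects machine-authentication handling, that the host short name is the label before the first dot, and that the lookup name becomes the AD computer-account form "<shortname>$". The sample directory and the helper names (derive_auth_attributes, lookup, diagnose) are constructed for this example.

```python
# Constructed sample directory (not real accounts): one user whose UPN and
# sAMAccountName differ, as in the thread, plus one computer account.
DIRECTORY = [
    {"objectClass": "user", "sAMAccountName": "flast",
     "userPrincipalName": "firstname.lastname@domain.se"},
    {"objectClass": "computer", "sAMAccountName": "PC-123$",
     "userPrincipalName": ""},
]


def derive_auth_attributes(radius_user_name: str) -> dict:
    """Model (an assumption, not ClearPass internals) of how the export's
    Authentication:* and Host:* attributes are derived from User-Name."""
    attrs = {"Authentication:Full-Username": radius_user_name}
    if radius_user_name.startswith("host/"):
        # Machine authentication: the certificate lives in the computer
        # store, so the supplicant sends host/<identity>. The identity is
        # treated as an FQDN and reduced to a computer account name.
        fqdn = radius_user_name[len("host/"):]
        short = fqdn.split(".", 1)[0]
        attrs.update({
            "mode": "machine",
            "Host:FQDN": fqdn,
            "Host:Name": short,
            "Authentication:Username": short + "$",
        })
    else:
        # User authentication: the identity is used as presented.
        attrs.update({"mode": "user",
                      "Authentication:Username": radius_user_name})
    return attrs


def lookup(attrs: dict, directory=DIRECTORY):
    """Emulate the AD filter from the first post: Authentication:Username
    must equal either sAMAccountName or userPrincipalName (AD compares
    these case-insensitively). Returns the entry or None."""
    name = attrs["Authentication:Username"].lower()
    for entry in directory:
        candidates = {entry["sAMAccountName"].lower(),
                      entry["userPrincipalName"].lower()}
        candidates.discard("")  # never match an unset attribute
        if name in candidates:
            return entry
    return None


def diagnose(radius_user_name: str, directory=DIRECTORY) -> dict:
    """Derive the attributes, run the lookup, and record the outcome."""
    attrs = derive_auth_attributes(radius_user_name)
    entry = lookup(attrs, directory)
    attrs["result"] = "ACCEPT" if entry else "REJECT (201 User not found)"
    return attrs


if __name__ == "__main__":
    # Constructed inputs: the thread's failing case, the same user with a
    # user-store certificate, and a genuine computer account.
    for name in ("host/firstname.lastname@domain.se",
                 "firstname.lastname@domain.se",
                 "host/PC-123.domain.se"):
        print(name, "->", diagnose(name))
```

    Running this reproduces the thread's outcome: the computer-store certificate yields a lookup name "firstname$" that matches no account, while the same UPN presented from a user-store certificate, or a real computer account presented as host/PC-123.domain.se, is found. Seen from a detection standpoint, a burst of error 201 rejects whose Authentication:Username ends in "$" but whose Host:FQDN contains "@" is the signature of this misconfiguration rather than of unknown users.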



  • 12.  RE: ClearPass UPN auth and Onboarding
    Best Answer

    EMPLOYEE
    Posted Jan 18, 2018 10:42 AM

    This workflow is not going to work in your environment. You'll need to put them in the user store.

     

    Shared devices under management should use centralized certificate enrollment via ADCS, SCEP or EST.

     

    The only other option is to stop doing authorization against AD and only validate the certificate itself.



  • 13.  RE: ClearPass UPN auth and Onboarding

    Posted Jan 22, 2018 03:06 AM

    Ok, good to know.

     

    So if we change to the user store for the certificate, what would happen if another user onboards the same device? Would the previous user's onboarding of the same device still be valid?



  • 14.  RE: ClearPass UPN auth and Onboarding

    EMPLOYEE
    Posted Jan 22, 2018 09:42 AM

    You'd have to configure Onboard to allow multiple certificates to be issued to the same device.



  • 15.  RE: ClearPass UPN auth and Onboarding

    Posted Jan 23, 2018 07:49 AM

    Thanks for the help!

     

    I changed to the user store and now it works perfectly. We decided that if multiple users share the same device, they will have to onboard the device for themselves to get access.